| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3723092.1617281658@warthog.procyon.org.uk>
Date: Thu, 01 Apr 2021 13:54:18 +0100
From: David Howells <dhowells@...hat.com>
To: Lv Yunlong <lyl2019@...l.ustc.edu.cn>
Cc: dhowells@...hat.com, davem@...emloft.net, kuba@...nel.org,
linux-afs@...ts.infradead.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net/rxrpc: Fix a use after free in rxrpc_input_packet
Lv Yunlong <lyl2019@...l.ustc.edu.cn> wrote:
> In the case RXRPC_PACKET_TYPE_DATA of rxrpc_input_packet, if
> skb_unshare(skb,..) failed, it will free the skb and return NULL.
> But if skb_unshare() return NULL, the freed skb will be used by
> rxrpc_eaten_skb(skb,..).
That's not precisely the case:
void rxrpc_eaten_skb(struct sk_buff *skb, enum rxrpc_skb_trace op)
{
const void *here = __builtin_return_address(0);
int n = atomic_inc_return(&rxrpc_n_rx_skbs);
trace_rxrpc_skb(skb, op, 0, n, 0, here);
}
The only thing that happens to skb here is that it's passed to
trace_rxrpc_skb(), but that doesn't dereference it either. The *address* is
used for display purposes, but that's all.
> I see that rxrpc_eaten_skb() is used to drop a ref of skb.
It isn't.
> As the skb is already freed in skb_unshare() on error, my patch removes the
> rxrpc_eaten_skb() to avoid the uaf.
But you remove the accounting, which might lead to an assertion failure in
af_rxrpc_exit().
That said, rxrpc_eaten_skb() should probably decrement rxrpc_n_rx_skbs, not
increment it...
David
Powered by blists - more mailing lists